vulnerability

SUSE: CVE-2022-22941: SUSE Linux Security Advisory

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:M/Au:S/C:P/I:P/A:P)	Mar 29, 2022	Oct 26, 2022	Oct 26, 2022

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:P/A:P)

Published

Mar 29, 2022

Added

Oct 26, 2022

Modified

Oct 26, 2022

Description

An issue was discovered in SaltStack Salt in versions before 3002.8, 3003.4, 3004.1. When configured as a Master-of-Masters, with a publisher_acl, if a user configured in the publisher_acl targets any minion connected to the Syndic, the Salt Master incorrectly interpreted no valid targets as valid, allowing configured users to target any of the minions connected to the syndic with their configured commands. This requires a syndic master combined with publisher_acl configured on the Master-of-Masters, allowing users specified in the publisher_acl to bypass permissions, publishing authorized commands to any configured minion.

Solutions

suse-upgrade-python2-saltsuse-upgrade-python3-saltsuse-upgrade-saltsuse-upgrade-salt-apisuse-upgrade-salt-bash-completionsuse-upgrade-salt-cloudsuse-upgrade-salt-docsuse-upgrade-salt-fish-completionsuse-upgrade-salt-mastersuse-upgrade-salt-minionsuse-upgrade-salt-proxysuse-upgrade-salt-sshsuse-upgrade-salt-standalone-formulas-configurationsuse-upgrade-salt-syndicsuse-upgrade-salt-transactional-updatesuse-upgrade-salt-zsh-completion

References

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report